WO2012100531A1 - Method, apparatus and system for forwarding packet - Google Patents


Info

Publication number
WO2012100531A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
user
information
user terminal
address
Application number
PCT/CN2011/078924
Other languages
French (fr)
Chinese (zh)
Inventor
黄静
查敏
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2012100531A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 2101/00 Indexing scheme associated with group H04L 61/00
    • H04L 2101/30 Types of network names
    • H04L 2101/365 Application layer names, e.g. buddy names, unstructured names chosen by a user or home appliance name

Summary of the invention
An embodiment of the invention provides a method, an apparatus and a system for forwarding a packet, so as to solve the problems of the prior art, in which user identification and traceability require access to the CGN log server, the network is complex and the load on the log server is high.

The method includes: a network address translation device receives an Internet Protocol (IP) packet from a user terminal; performs network address translation on the IP packet; inserts information identifying the user in the translated IP packet; and sends the IP packet carrying that information, so that the network device receiving the IP packet identifies the user terminal according to the information identifying the user.

The apparatus includes: a receiver, configured to receive, at the network address translation device, an IP packet from the user terminal; a conversion module, configured to perform network address translation on the IP packet; an insertion module, configured to insert information identifying the user in the translated IP packet; and a transmitter, configured to send the IP packet carrying the information identifying the user, so that the network device receiving the IP packet identifies the user terminal according to that information.

The system includes: a network address translation device, configured to receive an IP packet from the user terminal, perform network address translation on it, insert information identifying the user in the translated IP packet and send the resulting packet; and a receiving device, configured to receive the IP packet carrying the information identifying the user and to identify the user terminal according to that information.

Because the network address translation device carries the information identifying the user in the user's IP packet, the receiving device (for example, a website or forum server) can identify and trace the user according to the information carried in the received IP packet. The user can thus be identified in real time without increasing network complexity or the load on the log server, and the user's detailed information can then be obtained to achieve user traceability.
BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person skilled in the art can obtain further drawings from them without creative effort.

FIG. 1 is a flowchart of a method for forwarding a packet according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for forwarding a packet according to an embodiment of the present invention;
FIG. 3 is a block diagram of a system for forwarding a packet according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the scope of the present invention.
An embodiment of the present invention provides a method for forwarding a packet, including: a network address translation device receives an IP packet from a user terminal, inserts information identifying the user in the IP packet, and sends the IP packet carrying that information to the network, so that the network device receiving the IP packet identifies the user terminal according to the information identifying the user. This solves the prior-art problems of user identification and traceability through the CGN log server, network complexity and high log-server load.

FIG. 1 is a flowchart of a method for forwarding a packet according to an embodiment of the present invention. The steps are as follows:

Step 101: A network address translation device receives an IP packet from a user terminal. The network address translation device can be a CGN device.

Step 102: Perform network address translation on the IP packet.

Step 103: Insert information identifying the user in the translated IP packet.

The information identifying the user is an identifier by which the CGN can identify a user, usually the IPv4 address of the user terminal. Other information can also be used to distinguish users, such as the identifier of the tunnel from the user terminal to the CGN device: an IPv6 address, a virtual private network (VPN) identifier, a generic routing encapsulation (GRE) key, a PPTP, L2TP or IPsec tunnel identifier, or an IPv6 flow label. The tunnel identifier is needed because the IPv4 addresses of many users under one CGN may be the same. If the user establishes a tunnel directly with the CGN, for example an IPv4-in-IPv6 tunnel, the user can be identified by the IPv6 address of the tunnel. If the user reaches the CGN through a home gateway, the CGN identifies the user by the combination of the user's IPv4 address and the tunnel identifier.

In some scenarios the user's packets pass through multiple levels of CGN before reaching the website, and two variants are possible. In the first, each level of CGN device performs NAT on the user's IP packet and inserts the information identifying the user (the IP address before NAT) into the translated packet; when the website receives the final packet after translation by the multi-level CGN devices, it identifies the user by the source IP address of the final packet together with the inserted information. In the second, each level of CGN device performs NAT, but only the first-level CGN device inserts the information identifying the user into the translated packet (the user's IP address and an identifier of the first-level CGN device, such as a public IPv4 address or domain name that uniquely identifies that CGN device); when the website receives the final packet, it identifies the user by the inserted information alone.

Step 104: Send the IP packet carrying the information identifying the user, so that the network device receiving the IP packet identifies the user terminal according to that information.
Example 1

This example takes the scenario in which the user terminal's IP packets pass through a single level of CGN device and the IPv4 address of the user terminal suffices to identify the user. Two users under CGN1, User1 (IPv4 address ip1) and User2 (IPv4 address ip2), access a certain website on the Internet. According to an embodiment of the present invention, the process is as follows:

  • CGN1 receives the IP packets from User1 and User2, whose source IP addresses are ip1 and ip2 respectively.
  • CGN1 performs NAT on the IP packets; the source IP address of each translated packet is an IPv4 address of CGN1.
  • CGN1 inserts the information ip1 identifying User1 into the packet from User1, and the information ip2 identifying User2 into the packet from User2.
  • CGN1 re-encapsulates and sends the packets from User1 and User2 that have been translated and have had the information identifying the user inserted.
  • The website receives the IP packets from CGN1. Since the information identifying the user carried in the packets is ip1 and ip2 respectively, it can distinguish User1 from User2. The website can then take measures as needed, such as restricting or prohibiting User1 from accessing the website, or querying a user information server (for example, an AAA server) with the information ip1 identifying User1 to obtain User1's detailed information, thereby achieving user traceability.
Example 2

This example takes the scenario in which the user terminal's IP packets pass through a single level of CGN and the IPv4 address of the user terminal cannot uniquely identify a user under the CGN. The CGN device CGN1 has multiple home gateways, CPE1, CPE2, etc., with multiple user terminals under each: User1 (IPv4 address ip1), User2 (IPv4 address ip2), User5 (IPv4 address ip1), User6 (IPv4 address ip3), and so on. Assuming that CPE1 and CPE2 do not perform NAT themselves, an IPv6 tunnel with tunnel identifier IPv6_1 is established between CPE1 and CGN1, and the user terminals' IP packets are encapsulated in it; likewise, an IPv6 tunnel with tunnel identifier IPv6_2 is established between CPE2 and CGN1, and the user terminals' IP packets are encapsulated in it. Users User1, User2 and User5 access a certain website on the Internet. According to an embodiment of the present invention, the process is as follows:

  • CGN1 receives the IPv6 tunnel packets from CPE1 and CPE2 and decapsulates them. After decapsulation, the source IP addresses of the packets from User1, User2 and User5 are ip1, ip2 and ip1 respectively.
  • CGN1 performs NAT on the IP packets; after translation, the source IP address of the packets from User1, User2 and User5 is an IPv4 address of CGN1.
  • CGN1 inserts the information IPv6_1 and ip1 identifying User1 into the packet from User1, IPv6_1 and ip2 identifying User2 into the packet from User2, and IPv6_2 and ip1 identifying User5 into the packet from User5.
  • CGN1 re-encapsulates the packets from User1, User2 and User5 and sends them carrying the information identifying the user.
  • After receiving the packets from CGN1, the website can distinguish User1, User2 and User5 by the information carried in them, namely (IPv6_1, ip1), (IPv6_1, ip2) and (IPv6_2, ip1). If necessary, it can query the user information server (for example, an AAA server) with the information identifying User1, User2 and User5 to obtain their detailed information and achieve user traceability.
Example 3

This example takes the scenario in which the user terminal's IP packets pass through multiple levels of CGN device, the IPv4 address of the user terminal suffices to identify a user under the CGN, and the CGN at each level inserts the information identifying the user. User1 (IPv4 address ip1) accesses a certain website on the Internet, and its packets pass through two levels of CGN device, CGN1 and then CGN2. The process is as follows:

  • CGN1 receives the IP packet from User1; its source IP address is ip1.
  • CGN1 performs NAT on the packet, translating the source IP address to ip2, inserts ip1 into the packet, re-encapsulates it and sends the packet with source IP address ip2 carrying ip1.
  • CGN2 receives the packet from CGN1, performs NAT on it, translating the source IP address to ip3, inserts ip2 into the packet, re-encapsulates it and sends the packet with source IP address ip3 carrying the information ip1 and ip2 identifying User1.
  • The website receives the packet and identifies User1 by the source IP address ip3 of the packet together with the information ip1 and ip2 identifying User1. If necessary, the user information server (for example, the AAA server) is queried with the information identifying User1 to obtain User1's detailed information and achieve user traceability.
Example 4

This example takes the scenario in which the user terminal's IP packets pass through multiple levels of CGN device, the IPv4 address of the user terminal suffices to identify a user under the CGN, and only the first-level CGN inserts the information identifying the user (the IPv4 address of the user terminal and the identifier of the first-level CGN device). User1 (IPv4 address ip0) under CGN1 (identified as IPn1) and User2 (IPv4 address ip0) under CGN2 (identified as IPn2) access a website on the Internet. User1's packets pass through two levels of CGN device, CGN1 and then CGN3; User2's packets pass through CGN2 and then CGN3. According to an embodiment of the present invention, the process is as follows:

  • CGN1 receives the IP packet from User1; its source IP address is ip0. CGN1 performs NAT on the packet, translating the source IP address to ip1, and inserts the information ip0 and IPn1 identifying User1 into the packet.
  • CGN2 receives the IP packet from User2; its source IP address is ip0. CGN2 performs NAT on the packet, translating the source IP address to ip2, and inserts the information ip0 and IPn2 identifying User2 into the packet.
  • CGN3 receives the packets from CGN1 and CGN2 and performs NAT on both; the source IP address of each is ip3 after translation.
  • CGN3 re-encapsulates and sends the translated packets.
  • The website receives the packets from CGN3. The information identifying the user carried in them is (ip0, IPn1) and (ip0, IPn2) respectively, by which User1 and User2 can be identified. The user information server (for example, the AAA server) is queried with the information identifying the user to obtain the user's detailed information, so that the user can be traced.
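The four scenarios above, modelled as an added example that is not code from the patent or from Huawei: a packet carries a list of inserted identifiers, each CGN level performs NAT and optionally inserts, and the receiving side builds a user key from the final source address plus the inserted information. The packet layout, field names and all addresses are constructed for this example; the last function also shows the prior-art case in which nothing is inserted and two users with the same private address become indistinguishable.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """IP packet as seen by the forwarding scheme (constructed layout for
    this example, not the patent's or Huawei's format)."""
    src: str                                    # current source IPv4 address
    tunnel_id: Optional[str] = None             # tunnel the packet arrived on
    user_info: List[str] = field(default_factory=list)  # inserted identifiers


@dataclass
class CGN:
    """One CGN level: performs NAT and, if configured, inserts the information
    identifying the user (the pre-NAT address, the tunnel identifier when the
    user sits behind a home gateway, and the CGN's own identifier if set)."""
    name: str
    public_ip: str                # address the source is translated to
    cgn_id: Optional[str] = None  # identifier of this CGN (Example 4 variant)
    insert: bool = True           # False: pure NAT, nothing inserted

    def forward(self, pkt: Packet) -> Packet:
        pre_nat_src = pkt.src
        # Step 102: NAT rewrites the source address; anything inserted by an
        # earlier CGN level travels on unchanged. The tunnel terminates here.
        out = Packet(src=self.public_ip, user_info=list(pkt.user_info))
        # Step 103: insert information identifying the user.
        if self.insert:
            if pkt.tunnel_id is not None:
                out.user_info.append(pkt.tunnel_id)
            out.user_info.append(pre_nat_src)
            if self.cgn_id is not None:
                out.user_info.append(self.cgn_id)
        return out


def forward_chain(pkt: Packet, levels: List[CGN]) -> Packet:
    """Pass the packet through the CGN levels in order (Step 104 at each)."""
    for cgn in levels:
        pkt = cgn.forward(pkt)
    return pkt


def identify(pkt: Packet) -> Tuple[str, ...]:
    """Receiving device (the website): the user key is the final source
    address plus the inserted information. With nothing inserted it collapses
    to the shared public address, i.e. the prior-art situation."""
    return (pkt.src, *pkt.user_info)


# Constructed sample addresses (documentation / shared address ranges).
USER_IP, USER2_IP = "10.0.0.1", "10.0.0.2"


def example_single_level() -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Example 1: one CGN, the users' IPv4 addresses are distinct."""
    cgn1 = CGN("CGN1", "203.0.113.1")
    k1 = identify(cgn1.forward(Packet(USER_IP)))
    k2 = identify(cgn1.forward(Packet(USER2_IP)))
    return k1, k2


def example_home_gateways() -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Example 2: User1 (behind CPE1) and User5 (behind CPE2) share ip1, so
    the tunnel identifier is inserted alongside the IPv4 address."""
    cgn1 = CGN("CGN1", "203.0.113.1")
    k1 = identify(cgn1.forward(Packet(USER_IP, tunnel_id="IPv6_1")))
    k5 = identify(cgn1.forward(Packet(USER_IP, tunnel_id="IPv6_2")))
    return k1, k5


def example_each_level_inserts() -> Tuple[str, ...]:
    """Example 3: two levels, each inserting the pre-NAT address."""
    levels = [CGN("CGN1", "100.64.1.1"), CGN("CGN2", "203.0.113.3")]
    return identify(forward_chain(Packet(USER_IP), levels))


def example_first_level_only(insert: bool = True):
    """Example 4: User1 under CGN1 and User2 under CGN2 share ip0 and both
    exit through CGN3 with the same public address; only the first level
    inserts (user address, CGN identifier). With insert=False nothing is
    inserted anywhere and the two users become indistinguishable."""
    cgn3 = CGN("CGN3", "203.0.113.3", insert=False)
    cgn1 = CGN("CGN1", "100.64.1.1", cgn_id="IPn1", insert=insert)
    cgn2 = CGN("CGN2", "100.64.2.1", cgn_id="IPn2", insert=insert)
    k1 = identify(forward_chain(Packet(USER_IP), [cgn1, cgn3]))
    k2 = identify(forward_chain(Packet(USER_IP), [cgn2, cgn3]))
    return k1, k2


if __name__ == "__main__":
    print(example_single_level())
    print(example_home_gateways())
    print(example_each_level_inserts())
    print(example_first_level_only(), example_first_level_only(insert=False))
```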
FIG. 2 is a block diagram of an apparatus for forwarding a packet according to an embodiment of the present invention. The apparatus includes a receiver 201, a conversion module 202, an insertion module 203 and a transmitter 204, where:

  • the receiver 201 is configured to receive, at the network address translation device, an IP packet from the user terminal; the network address translation device may be a CGN device;
  • the conversion module 202 is configured to perform network address translation on the IP packet;
  • the insertion module 203 is configured to insert information identifying the user in the translated IP packet. The information identifying the user is an identifier by which the CGN can identify a user, usually the IPv4 address of the user terminal. Other information can also be used to distinguish users, such as the identifier of the tunnel from the user terminal to the CGN: an IPv6 address, a virtual private network (VPN) identifier, a generic routing encapsulation (GRE) key, a PPTP tunnel identifier, an L2TP tunnel identifier, an IPsec tunnel identifier or an IPv6 flow label. In some scenarios a user's packets pass through multiple CGN devices on the way to a website. If each level of CGN device inserts the information identifying the user in the translated packet, the user is identified by the source IP address of the final packet together with the information inserted in it. If only the first-level CGN device inserts the information identifying the user (the user's IP address and the identifier of the first-level CGN device) in the translated packet, the user is identified by the inserted information carried in the final packet alone;
  • the transmitter 204 is configured to send the IP packet carrying the information identifying the user, so that the network device receiving the IP packet identifies the user terminal according to that information.
Example 5

This example takes the scenario in which the user terminal's IP packets pass through a single level of CGN device and the IPv4 address of the user terminal suffices to identify the user. Two users under CGN1, User1 (IPv4 address ip1) and User2 (IPv4 address ip2), access a certain website on the Internet. According to an embodiment of the present invention, the process is as follows:

  • the receiver 201 receives the IP packets from User1 and User2, whose source IP addresses are ip1 and ip2 respectively;
  • the conversion module 202 performs NAT on the packets; the source IP address of each translated packet is an IPv4 address of CGN1;
  • the insertion module 203 inserts the information ip1 identifying User1 into the packet from User1 and the information ip2 identifying User2 into the packet from User2;
  • CGN1 re-encapsulates the translated packets from User1 and User2 carrying the information identifying the user, and the transmitter 204 sends them;
  • the website receives the packets from CGN1 and, since the information identifying the user carried in them is ip1 and ip2 respectively, can distinguish User1 from User2. If necessary, it queries the user information server (for example, an AAA server) with the information ip1 identifying User1 to obtain User1's detailed information and achieve user traceability.
Example 6

This example takes the scenario in which the user terminal's IP packets pass through a single level of CGN and the IPv4 address of the user terminal cannot uniquely identify a user under the CGN. The CGN device CGN1 has multiple home gateways, CPE1, CPE2, etc., with multiple user terminals under each, for example User1 (IPv4 address ip1), User2 (IPv4 address ip2), User5 (IPv4 address ip1) and User6 (IPv4 address ip3). Assuming that CPE1 and CPE2 do not perform NAT themselves, an IPv6 tunnel with tunnel identifier IPv6_1 is established between CPE1 and CGN1 and the user terminals' IP packets are encapsulated in it; an IPv6 tunnel with tunnel identifier IPv6_2 is likewise established between CPE2 and CGN1, and the user terminals' IP packets are encapsulated in it. Users User1, User2 and User5 access a certain website on the Internet. According to an embodiment of the present invention, the process is as follows:

  • the receiver 201 receives the IPv6 tunnel packets from CPE1 and CPE2, and CGN1 decapsulates them; after decapsulation, the source IP addresses of the packets from User1, User2 and User5 are ip1, ip2 and ip1 respectively;
  • the conversion module 202 performs NAT on the packets; the source IP address of the packets from User1, User2 and User5 becomes an IPv4 address of CGN1;
  • the insertion module 203 inserts the information IPv6_1 and ip1 identifying User1 into the packet from User1, IPv6_1 and ip2 identifying User2 into the packet from User2, and IPv6_2 and ip1 identifying User5 into the packet from User5;
  • CGN1 re-encapsulates the packets from User1, User2 and User5, and the transmitter 204 sends them carrying the information identifying the user;
  • the website receives the packets from CGN1 and can distinguish User1, User2 and User5 by the information carried in them, namely (IPv6_1, ip1), (IPv6_1, ip2) and (IPv6_2, ip1). If necessary, it queries the user information server (for example, an AAA server) with this information to obtain the users' detailed information and achieve user traceability.
Example 7

This example takes the scenario in which the user terminal's IP packets pass through multiple levels of CGN device, the IPv4 address of the user terminal suffices to identify a user under the CGN, and the CGN at each level inserts the information identifying the user. User1 (IPv4 address ip1) accesses a certain website on the Internet, and its packets pass through two levels of CGN device, CGN1 and then CGN2. The process is as follows:

  • the receiver 201 of CGN1 receives the IP packet from User1; its source IP address is ip1;
  • the conversion module 202 of CGN1 performs NAT on the packet, translating the source IP address to ip2; the insertion module 203 of CGN1 inserts ip1 into the packet; CGN1 re-encapsulates the packet, and the transmitter 204 of CGN1 sends the packet with source IP address ip2 carrying ip1;
  • the receiver 201 of CGN2 receives the packet from CGN1; the conversion module 202 of CGN2 performs NAT on it, translating the source IP address to ip3; the insertion module 203 of CGN2 inserts ip2 into the packet; CGN2 re-encapsulates it, and the transmitter 204 of CGN2 sends the packet with source IP address ip3 carrying ip1 and ip2;
  • finally, the website receives the packet from CGN2 and identifies User1 by its source IP address ip3 together with the information ip1 and ip2 identifying User1. If necessary, the user information server (for example, the AAA server) is queried with the information identifying User1 to obtain User1's detailed information and achieve user traceability.
Example 8

This example takes the scenario in which the user terminal's IP packets pass through multiple levels of CGN device, the IPv4 address of the user terminal suffices to identify a user under the CGN, and only the first-level CGN device inserts the information identifying the user (the IPv4 address of the user terminal and the identifier of the first-level CGN device). User1 (IPv4 address ip0) under CGN1 (identified as IPn1) and User2 (IPv4 address ip0) under CGN2 (identified as IPn2) access a website on the Internet. User1's packets pass through two levels of CGN device, CGN1 and then CGN3; User2's packets pass through CGN2 and then CGN3. According to an embodiment of the present invention, the process is as follows:

  • the receiver 201 of CGN1 receives the IP packet from User1; its source IP address is ip0;
  • the conversion module 202 of CGN1 performs NAT on the packet, translating the source IP address to ip1; the insertion module 203 of CGN1 inserts the information ip0 and IPn1 identifying User1 into the packet; CGN1 re-encapsulates the packet, and the transmitter 204 of CGN1 sends the packet with source IP address ip1 carrying ip0 and IPn1;
  • the receiver 201 of CGN2 receives the IP packet from User2; its source IP address is ip0;
  • the conversion module 202 of CGN2 performs NAT on the packet, translating the source IP address to ip2; the insertion module 203 of CGN2 inserts the information ip0 and IPn2 identifying User2 into the packet; CGN2 re-encapsulates the packet, and the transmitter 204 of CGN2 sends the packet with source IP address ip2 carrying ip0 and IPn2;
  • CGN3 receives the packets from CGN1 and CGN2 and performs NAT on both, translating the source IP address of the packet from CGN1 to ip3 and that of the packet from CGN2 to ip3 as well; the website then identifies User1 and User2 from the inserted information (ip0, IPn1) and (ip0, IPn2), as in Example 4.
FIG. 3 is a block diagram of a system for forwarding a packet according to an embodiment of the present invention. The system includes:

  • a network address translation device 301, configured to receive an IP packet from a user terminal, perform network address translation on the IP packet, insert information identifying the user in the translated packet and send the packet carrying that information;
  • a receiving device 302, configured to receive the IP packet carrying the information identifying the user and to identify the user terminal according to that information.

By carrying the information identifying the user in the IP packet, the system can identify and trace the user in real time, and so solves the prior-art problems of user identification and traceability by querying log files, network complexity and high log-server load.

A person skilled in the art will understand that all or part of the steps of the above embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc.

Abstract

Disclosed are a method, an apparatus and a system for forwarding a packet. A network address translation device receives an Internet Protocol (IP) packet from a user terminal; network address translation is performed on the IP packet; information for identifying a user is inserted in the IP packet; and the IP packet carrying the information for identifying a user is sent, so that a network device receiving the IP packet distinguishes the user terminal according to that information. The technical solutions provided in the embodiments of the present invention solve the problem of the prior art that distinguishing a user and tracing the user to the source by querying a log file makes the network complex and the load of the log server high.

Description

Method, apparatus and system for forwarding a packet

This application claims priority to Chinese Patent Application No. 201110028650.3, filed with the Chinese Patent Office on January 26, 2011 and entitled "Method, apparatus and system for forwarding a packet", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of network communications, and in particular to a method, an apparatus and a system for forwarding a packet.

Background

IPv4 (Internet Protocol version 4) addresses are about to be exhausted, and during the transition from IPv4 to IPv6 (Internet Protocol version 6) the address shortage cannot be solved in the short term because IPv6 has not yet been deployed on a large scale. To solve the address shortage, operators need to deploy CGN (Carrier Grade NAT) devices so that public IPv4 addresses (hereinafter referred to as IP addresses) can be shared. After a CGN is deployed, however, many users share one public IP address after NAT (Network Address Translation), and a specific user can no longer be found from the public IP address alone, which causes problems for some applications. For example, the regulations of some countries require operators to support user tracing to combat cybercrime, and some applications need to distinguish users by IP address, such as user behaviour analysis, an application server limiting the number of concurrent download threads per user by IP address, or banning by IP address users who keep posting junk articles. Users therefore need to be correctly distinguished through user identification and user tracing.
In existing networks with CGN deployed, the CGN generates a log file that records the mapping between the user's intranet-side information (for example, private IP address and port) and extranet-side information (for example, public IP address and port), together with a timestamp, the protocol type and other information; the log file may be stored locally or on a dedicated log server. The user's public IP address, port number and similar information can then be used to query the log file for further information about the user, such as the private IP address, so as to identify the user; the private IP address and similar information can in turn be used to query an AAA (Authentication, Authorization, Accounting) server for the user's detailed information. Where there are multiple levels of CGN, the log file of every level of CGN must be queried before the user information is finally obtained, which makes the network more complex. On the other hand, for reasons of user information confidentiality and security, an operator's log files are generally open only to the operator itself or to law enforcement agencies, not to other operators or websites; a download website, for example, cannot access the operator's log files to obtain user information and therefore cannot distinguish users.

Summary of the invention
Embodiments of the present invention provide a method, an apparatus and a system for forwarding a packet, to solve the prior-art problem that user identification and tracing by accessing a CGN log server cause high network complexity and high log server load.
To solve the above technical problem, an embodiment of the present invention provides a method for forwarding a packet, including:
a network address translation device receiving an Internet Protocol (IP) packet from a user terminal;
performing network address translation on the IP packet;
inserting information identifying the user into the translated IP packet; and
sending the IP packet into which the information identifying the user has been inserted, so that a network device receiving the IP packet identifies the user terminal according to the information identifying the user.
An embodiment of the present invention provides an apparatus for forwarding a packet, including:
a receiver, configured for a network address translation device to receive an Internet Protocol (IP) packet from a user terminal;
a translation module, configured to perform network address translation on the IP packet;
an insertion module, configured to insert information identifying the user into the translated IP packet; and
a transmitter, configured to send the IP packet into which the information identifying the user has been inserted, so that a network device receiving the IP packet identifies the user terminal according to the information identifying the user.
An embodiment of the present invention provides a system for forwarding a packet, characterized in that it includes:
a network address translation device, configured to receive an IP packet from a user terminal, perform network address translation on the IP packet, insert information identifying the user into the translated IP packet, and send the IP packet into which the information identifying the user has been inserted; and
a receiving device, configured to receive the IP packet into which the information identifying the user has been inserted, and to identify the user terminal according to the information identifying the user.
Embodiments of the present invention have the following advantages:
In the embodiments of the present invention, the network address translation device carries information identifying the user in the user's IP packet, so that a receiving device, for example a website or forum server, can identify and trace the user from the information identifying the user in the received IP packet. Because the IP packet carries information identifying the user, the user can be identified in real time from that information without increasing the network complexity or the log server load, and the user's detailed information can then be obtained to trace the user to the source.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for forwarding a packet according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for forwarding a packet according to an embodiment of the present invention;
FIG. 3 is a block diagram of a system for forwarding a packet according to an embodiment of the present invention.

Detailed description of the embodiments

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for forwarding a packet, including: a network address translation device receives an Internet Protocol (IP) packet from a user terminal and inserts information identifying the user into the IP packet; and it sends the IP packet carrying the information identifying the user to the network, so that a network device receiving the IP packet identifies the user terminal according to that information. The technical solution provided in this embodiment can solve the prior-art problem that user identification and tracing by accessing a CGN log server cause high network complexity and high log server load.
To make the above objectives, features and advantages of the embodiments of the present invention clearer and easier to understand, the embodiments are described in further detail below with reference to the accompanying drawings and specific implementations.
FIG. 1 is a flowchart of a method for forwarding a packet according to an embodiment of the present invention. The specific steps are as follows:
Step 101: A network address translation device receives an Internet Protocol (IP) packet from a user terminal.
The network address translation device may be a CGN device.
Step 102: Perform network address translation on the IP packet.
Step 103: Insert information identifying the user into the translated IP packet.
The information identifying the user is an identifier that can distinguish a user under one CGN, usually the IPv4 address of the user terminal.
In some scenarios, however, user terminals connected to the same CGN may have the same IPv4 address, in which case other information must be used to distinguish users, such as the tunnel identifier between the user terminal and the CGN device, which may be an IPv6 address, a virtual private network (VPN) identifier, a generic routing encapsulation (GRE) key, a PPTP tunnel identifier, an L2TP tunnel identifier, an IPsec tunnel identifier or an IPv6 flow label. For example, in the DS-Lite (Dual-Stack Lite) solution, multiple home gateways access one CGN, each home gateway serves multiple users, and every home gateway assigns its users IPv4 addresses from the 192.0.0.0/29 segment excluding 192.0.0.0 and 192.0.0.1, so that many users under one CGN have identical IPv4 addresses. If a user establishes a tunnel directly with the CGN, for example an IPv4-in-IPv6 tunnel, the user can be identified by the tunnel identifier, namely the IPv6 address; if the user establishes the tunnel with the CGN through a home gateway, the user's IPv4 address must be combined with the tunnel identifier to identify that user under the CGN.
In addition, in some scenarios a user's packets must pass through multiple CGN devices to reach a website. In one mode, every level of CGN device performs NAT on the user's IP packet and inserts information identifying the user (the IP address before NAT) into the translated IP packet; when the website receives the final IP packet after NAT by the multiple levels of CGN devices, it must identify the user from the source IP address of that final IP packet together with the information identifying the user carried in it. In another mode, every level of CGN device performs NAT on the user's IP packet, but only the first-level CGN device inserts information identifying the user into the translated IP packet (the user's IP address and an identifier of the first-level CGN device, such as a public IPv4 address or domain name that uniquely identifies that CGN device); when the website receives the final IP packet, it can identify the user from the information identifying the user carried in that final IP packet alone.
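The forwarding method of steps 101 to 104 and the three variants just described (distinct private addresses, tunnel identifiers under DS-Lite, and the two multi-level modes), simulated as an added Python example that is not part of the patent; the Packet and CGN classes, the identify_user function, the two mode constants and all addresses are assumptions, and the scenarios mirror Embodiments 1 to 4 below, including the receiving website's identification step.

```python
"""Simulation of a CGN that performs NAT on a user terminal's IP packet, inserts
information identifying the user, and of the receiving network device that
identifies the user terminal from that information.
Constructed example, not the patent's code; names and addresses are assumptions."""
from dataclasses import dataclass, field, replace
from itertools import count
from typing import Optional

MODE_EVERY_LEVEL = "every_level"            # every CGN inserts the pre-NAT source address
MODE_FIRST_LEVEL_ONLY = "first_level_only"  # only the first CGN inserts (user IP, CGN identifier)
SITE = "203.0.113.10"                       # the website the users access (constructed)


@dataclass
class Packet:
    src: str                            # source IPv4 address
    sport: int                          # source port
    dst: str                            # destination address
    tunnel_id: Optional[str] = None     # identifier of the tunnel the packet arrived over, if any
    user_info: list = field(default_factory=list)  # information identifying the user, inserted by CGNs


class CGN:
    """Network address translation device (steps 101 to 104 of the method)."""

    def __init__(self, public_ip, cgn_id=None, mode=MODE_EVERY_LEVEL, first_level=True):
        self.public_ip = public_ip   # public IPv4 address written into the packet by NAT
        self.cgn_id = cgn_id         # identifier of this CGN (e.g. its public IP), for first-level-only mode
        self.mode = mode
        self.first_level = first_level
        self.nat_table = {}          # (tunnel_id, private src, sport) -> public port: what a CGN log records
        self._ports = count(40000)

    def forward(self, pkt: Packet) -> Packet:
        # Step 101: packet received; a tunnelled packet is already decapsulated, tunnel_id kept as metadata.
        key = (pkt.tunnel_id, pkt.src, pkt.sport)
        # Step 102: NAT. The source becomes this CGN's public address and a port from its pool.
        if key not in self.nat_table:
            self.nat_table[key] = next(self._ports)
        out = replace(pkt, src=self.public_ip, sport=self.nat_table[key], tunnel_id=None,
                      user_info=list(pkt.user_info))
        # Step 103: insert information identifying the user into the translated packet.
        if self.mode == MODE_EVERY_LEVEL:
            # the pre-NAT address; the tunnel identifier is added when the private address alone is ambiguous
            out.user_info.append((pkt.tunnel_id, pkt.src) if pkt.tunnel_id else (pkt.src,))
        elif self.first_level:
            out.user_info.append((pkt.src, self.cgn_id))
        # Step 104: send the packet towards its destination.
        return out


def identify_user(pkt: Packet, mode: str):
    """Receiving network device: derive a key distinguishing the user terminal, or None when the
    packet carries no identifying information (it did not pass through a participating CGN)."""
    if not pkt.user_info:
        return None
    if mode == MODE_EVERY_LEVEL:
        return (pkt.src, tuple(pkt.user_info))   # final source address plus every inserted entry
    return pkt.user_info[0]                      # (user terminal IP, first-level CGN identifier)


def through(pkt: Packet, *cgns: CGN) -> Packet:
    """Forward a packet through a chain of CGN devices in order."""
    for cgn in cgns:
        pkt = cgn.forward(pkt)
    return pkt


def embodiment_1():
    """One CGN; User1 (ip1) and User2 (ip2) have distinct private addresses."""
    cgn1 = CGN("198.51.100.1")
    out = {u: through(Packet(ip, 5000, SITE), cgn1)
           for u, ip in [("User1", "10.0.0.1"), ("User2", "10.0.0.2")]}
    return {u: identify_user(p, MODE_EVERY_LEVEL) for u, p in out.items()}


def embodiment_2():
    """DS-Lite: User1 and User5 share ip1 behind different home gateways; tunnel identifiers disambiguate."""
    cgn1 = CGN("198.51.100.1")
    terminals = [("User1", "192.0.0.2", "2001:db8::1"), ("User2", "192.0.0.3", "2001:db8::1"),
                 ("User5", "192.0.0.2", "2001:db8::2")]   # (user, IPv4, CPE tunnel identifier IPv6_1/IPv6_2)
    out = {u: through(Packet(ip, 5000, SITE, tunnel_id=t), cgn1) for u, ip, t in terminals}
    return {u: identify_user(p, MODE_EVERY_LEVEL) for u, p in out.items()}


def embodiment_3():
    """Two CGN levels, every level inserting: the site sees ip3 as source and ip1, ip2 inside."""
    cgn1, cgn2 = CGN("100.64.0.1"), CGN("198.51.100.1")
    p = through(Packet("10.0.0.1", 5000, SITE), cgn1, cgn2)
    return p.src, identify_user(p, MODE_EVERY_LEVEL)


def embodiment_4():
    """Two CGN levels, only the first inserting (user IP, CGN id); User1 and User2 both use ip0."""
    cgn1 = CGN("100.64.0.1", cgn_id="IPn1", mode=MODE_FIRST_LEVEL_ONLY)
    cgn2 = CGN("100.64.0.2", cgn_id="IPn2", mode=MODE_FIRST_LEVEL_ONLY)
    cgn3 = CGN("198.51.100.1", mode=MODE_FIRST_LEVEL_ONLY, first_level=False)
    p1 = through(Packet("10.0.0.1", 5000, SITE), cgn1, cgn3)
    p2 = through(Packet("10.0.0.1", 5000, SITE), cgn2, cgn3)
    return {"User1": (p1.src, identify_user(p1, MODE_FIRST_LEVEL_ONLY)),
            "User2": (p2.src, identify_user(p2, MODE_FIRST_LEVEL_ONLY))}
```

In every scenario the packets reaching the site share the CGN's public source address, so the NAT table (the information a CGN log would hold) is never consulted by the site; only the inserted entries separate the users.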
Step 104: Send the IP packet into which the information identifying the user has been inserted, so that the network device receiving the IP packet identifies the user terminal according to the information identifying the user.

Embodiment 1
Take the scenario in which the user terminal's IP packet passes through one level of CGN device and the user terminal's IPv4 address can identify the user as an example. Under one CGN device, CGN1, two users, User1 (IPv4 address ip1) and User2 (IPv4 address ip2), access a website on the Internet. According to this embodiment of the present invention, the process is as follows:
CGN1 receives IP packets from User1 and User2 with source IP addresses ip1 and ip2 respectively;
CGN1 performs NAT on the IP packets; after translation, the source IP address of both IP packets is an IPv4 address of CGN1;
CGN1 inserts the information ip1 identifying User1 into the IP packet from User1, and the information ip2 identifying User2 into the IP packet from User2;
CGN1 re-encapsulates and sends the IP packets from User1 and User2 that have undergone NAT and carry the information identifying the user. When the website receives the IP packets from CGN1, it can distinguish User1 from User2 because the information identifying the user carried in the packets is ip1 and ip2 respectively. When needed, the website can identify User1 and take measures as required, such as restricting or prohibiting User1 from accessing the website, or query a user information server (for example, an AAA server) with the information ip1 identifying User1 to obtain User1's detailed information and so trace the user to the source.

Embodiment 2
Take the scenario in which the user terminal's IP packet passes through one level of CGN and the user terminal's IPv4 address cannot uniquely identify a user under the CGN as an example. For example, under one CGN device, CGN1, there are multiple home gateways CPE1, CPE2 and so on, and under each home gateway there are multiple user terminals: under CPE1 there are User1 (IPv4 address ip1), User2 (IPv4 address ip2) and so on, and under CPE2 there are User5 (IPv4 address ip1), User6 (IPv4 address ip3) and so on. Assume that CPE1 and CPE2 do not perform NAT; an IPv6 tunnel with tunnel identifier IPv6_1 is established between CPE1 and CGN1, and the user terminals' IP packets are encapsulated in that IPv6 tunnel; an IPv6 tunnel with tunnel identifier IPv6_2 is established between CPE2 and CGN1, and the user terminals' IP packets are encapsulated in that IPv6 tunnel. Users User1, User2 and User5 access a website on the Internet. According to this embodiment of the present invention, the process is as follows:
CGN1 receives the IPv6 tunnel packets from CPE1 and CPE2 and decapsulates them; after decapsulation, the source IP addresses of the IP packets from User1, User2 and User5 are ip1, ip2 and ip1 respectively;
CGN1 performs NAT on the IP packets; after translation, the source IP address of the IP packets from User1, User2 and User5 is an IPv4 address of CGN1;
CGN1 inserts the information IPv6_1 and ip1 identifying User1 into the IP packet from User1, the information IPv6_1 and ip2 identifying User2 into the IP packet from User2, and the information IPv6_2 and ip1 identifying User5 into the IP packet from User5;
CGN1 re-encapsulates the IP packets from User1, User2 and User5 and sends the IP packets carrying the information identifying the user. When the website receives the IP packets from CGN1, it can distinguish User1, User2 and User5 because the information identifying the user carried in the packets is IPv6_1 and ip1, IPv6_1 and ip2, and IPv6_2 and ip1 respectively. When needed, a user information server (for example, an AAA server) can be queried with the information identifying User1, User2 and User5 to obtain their detailed information and so trace the users to the source.

Embodiment 3
Take the scenario in which the user terminal's IP packet passes through multiple levels of CGN devices, the user terminal's IPv4 address can identify a user under a CGN, and every level of CGN inserts information identifying the user into the IP packet as an example. For example, user User1 (IPv4 address ip1) accesses a website on the Internet, and the user terminal's IP packet passes through two levels of CGN devices, CGN1 and then CGN2. According to this embodiment of the present invention, the process is as follows: CGN1 receives the IP packet from User1, whose source IP address is ip1; CGN1 performs NAT on the IP packet, translating the source IP address to ip2, inserts ip1 into the IP packet, re-encapsulates the IP packet, and sends the IP packet with source IP address ip2 carrying ip1. CGN2 receives the IP packet from CGN1, performs NAT on it, translating the source IP address to ip3, inserts ip2 into the IP packet, re-encapsulates the IP packet, and sends the IP packet with source IP address ip3 carrying the information ip1 and ip2 identifying User1. Finally, the website receives the IP packet and can identify User1 from the source IP address ip3 of the IP packet and the information ip1 and ip2 identifying User1. When needed, a user information server (for example, an AAA server) can be queried with the information identifying User1 to obtain User1's detailed information and so trace the user to the source.

Embodiment 4
Take the scenario in which the user terminal's IP packet passes through multiple levels of CGN devices, the user terminal's IPv4 address can identify a user under a CGN, and only the first-level CGN inserts information identifying the user (including the user terminal's IPv4 address and the identifier of the first-level CGN device) into the IP packet as an example. For example, user User1 (IPv4 address ip0) under CGN1 (identifier IPn1) and user User2 (IPv4 address ip0) under CGN2 (identifier IPn2) access a website on the Internet; User1's IP packet passes through two levels of CGN devices, CGN1 and then CGN3, and User2's IP packet passes through two levels of CGN devices, CGN2 and then CGN3. According to this embodiment of the present invention, the process is as follows:
CGN1 receives the IP packet from User1, whose source IP address is ip0; CGN1 performs NAT on the IP packet, translating the source IP address to ip1, inserts the information ip0 and IPn1 identifying User1 into the IP packet, re-encapsulates the IP packet, and sends the IP packet with source IP address ip1 carrying ip0 and IPn1. CGN2 receives the IP packet from User2, whose source IP address is ip0; CGN2 performs NAT on the IP packet, translating the source IP address to ip2, inserts the information ip0 and IPn2 identifying User2 into the IP packet, re-encapsulates the IP packet, and sends the IP packet with source IP address ip2 carrying ip0 and IPn2. CGN3 receives the IP packets from CGN1 and CGN2, performs NAT on the IP packet from CGN1 so that its source IP address becomes ip3, and performs NAT on the IP packet from CGN2 so that its source IP address also becomes ip3; CGN3 re-encapsulates and sends the translated IP packets. Finally, the website receives the IP packets from CGN3 and can identify User1 and User2 because the information identifying the user in the IP packets is ip0 and IPn1, and ip0 and IPn2, respectively. When needed, a user information server (for example, an AAA server) can be queried with the information identifying the user to obtain the user's detailed information and so trace the user to the source.

FIG. 2 is a block diagram of an apparatus for forwarding a packet according to an embodiment of the present invention. The apparatus specifically includes a receiver 201, a translation module 202, an insertion module 203 and a transmitter 204, where:
the receiver 201 is configured for the network address translation device to receive an IP packet from a user terminal; the network address translation device may be a CGN device;
the translation module 202 is configured to perform network address translation on the IP packet;
the insertion module 203 is configured to insert information identifying the user into the translated IP packet;
the information identifying the user is an identifier that can distinguish a user under one CGN, usually the IPv4 address of the user terminal; in some scenarios, however, user terminals connected to the same CGN may have the same IPv4 address, in which case other information must be used to distinguish users, such as the IPv6 address serving as the tunnel identifier between the user terminal and the CGN, a virtual private network (VPN) identifier, a generic routing encapsulation (GRE) key, a PPTP tunnel identifier, an L2TP tunnel identifier, an IPsec tunnel identifier or an IPv6 flow label; in other scenarios a user's packets must pass through multiple CGN devices to reach a website: if every level of CGN device inserts information identifying the user into the IP packet after NAT, the user must be identified from the source IP address of the final IP packet together with the information identifying the user in it; if only the first-level CGN device inserts information identifying the user (that user's IP address and the identifier of the first-level CGN device) into the IP packet after NAT, the user can be identified from the information identifying the user carried in the final IP packet alone;
the transmitter 204 is configured to send the IP packet into which the information identifying the user has been inserted, so that the network device receiving the IP packet identifies the user terminal according to the information identifying the user.

Embodiment 5
Take the scenario in which the user terminal's IP packet passes through one level of CGN device and the user terminal's IPv4 address can identify the user as an example. Under one CGN device, CGN1, two users, User1 (IPv4 address ip1) and User2 (IPv4 address ip2), access a website on the Internet. According to this embodiment of the present invention, the process is as follows:
the receiver 201 receives IP packets from User1 and User2 with source IP addresses ip1 and ip2 respectively;
the translation module 202 performs NAT on the IP packets; after translation, the source IP address of both IP packets is an IPv4 address of CGN1;
the insertion module 203 inserts the information ip1 identifying User1 into the IP packet from User1, and the information ip2 identifying User2 into the IP packet from User2;
CGN1 re-encapsulates the IP packets from User1 and User2 that have undergone NAT and carry the information identifying the user, and the transmitter 204 sends the IP packets. When the website receives the IP packets from CGN1, it can distinguish User1 from User2 because the information identifying the user carried in the packets is ip1 and ip2 respectively. When needed, a user information server (for example, an AAA server) can be queried with the information ip1 identifying User1 to obtain User1's detailed information and so trace the user to the source.

Embodiment 6
Take the scenario in which the user terminal's IP packet passes through one level of CGN and the user terminal's IPv4 address cannot uniquely identify a user under the CGN as an example. For example, under one CGN device, CGN1, there are multiple home gateways CPE1, CPE2 and so on, and under each home gateway there are multiple user terminals: under CPE1 there are User1 (IPv4 address ip1), User2 (IPv4 address ip2) and so on, and under CPE2 there are User5 (IPv4 address ip1), User6 (IPv4 address ip3) and so on. Assume that CPE1 and CPE2 do not perform NAT; an IPv6 tunnel with tunnel identifier IPv6_1 is established between CPE1 and CGN1, and the user terminals' IP packets are encapsulated in that IPv6 tunnel; an IPv6 tunnel with tunnel identifier IPv6_2 is established between CPE2 and CGN1, and the user terminals' IP packets are encapsulated in that IPv6 tunnel. Users User1, User2 and User5 access a website on the Internet. According to this embodiment of the present invention, the process is as follows:
the receiver 201 receives the IPv6 tunnel packets from CPE1 and CPE2, and CGN1 decapsulates them; after decapsulation, the source IP addresses of the IP packets from User1, User2 and User5 are ip1, ip2 and ip1 respectively;
the translation module 202 performs NAT on the IP packets; after translation, the source IP address of the IP packets from User1, User2 and User5 is an IPv4 address of CGN1;
the insertion module 203 inserts the information IPv6_1 and ip1 identifying User1 into the IP packet from User1, the information IPv6_1 and ip2 identifying User2 into the IP packet from User2, and the information IPv6_2 and ip1 identifying User5 into the IP packet from User5;
CGN1 re-encapsulates the IP packets from User1, User2 and User5, and the transmitter 204 sends the IP packets carrying the information identifying the user. When the website receives the IP packets from CGN1, it can distinguish User1, User2 and User5 because the information identifying the user carried in the packets is IPv6_1 and ip1, IPv6_1 and ip2, and IPv6_2 and ip1 respectively. When needed, a user information server (for example, an AAA server) can be queried with the information identifying User1, User2 and User5 to obtain their detailed information and so trace the users to the source.

Embodiment 7
Take as an example the case where the IP packets of a user terminal pass through several levels of CGN devices, the IPv4 address of the user terminal can identify a user under a CGN, and the CGN at every level inserts user-identifying information into the IP packets. For example, user User1 (IPv4 address ip1) accesses a website on the Internet, and the IP packets of the user terminal pass through two levels of CGN devices, CGN1 and then CGN2. The process according to this embodiment of the invention is as follows: the receiver 201 of CGN1 receives the IP packets from User1, whose source IP address is ip1; the translation module 202 of CGN1 performs NAT on the IP packets and translates the source IP address to ip2; the insertion module 203 of CGN1 inserts ip1 into the IP packets; CGN1 then re-encapsulates the IP packets, and the transmitter 204 of CGN1 sends the IP packets with source IP address ip2 carrying ip1. The receiver 201 of CGN2 receives the IP packets from CGN1; the translation module 202 of CGN2 performs NAT on the IP packets and translates the source IP address to ip3; the insertion module 203 of CGN2 inserts ip2 into the IP packets; CGN2 then re-encapsulates the IP packets, and the transmitter 204 of CGN2 sends the IP packets with source IP address ip3 carrying ip1 and ip2. Finally, the website receives the IP packets from CGN2 and can identify User1 from the source IP address ip3 of the packets together with the information identifying User1, ip1 and ip2. When needed, a user information server (for example an AAA server) can be queried with the information identifying User1 to obtain User1's detailed information, so that the user can be traced.

Embodiment 8
Take as an example the case where the IP packets of a user terminal pass through several levels of CGN devices, the IPv4 address of the user terminal can identify a user under a CGN, and only the first-level CGN device inserts user-identifying information (comprising the IPv4 address of the user terminal and the identifier of the first-level CGN device) into the IP packets. For example, user User1 (IPv4 address ip0) under CGN1 (identifier IPn1) and user User2 (IPv4 address ip0) under CGN2 (identifier IPn2) access a website on the Internet; the IP packets of User1 pass through two levels of CGN devices, CGN1 and then CGN3, and the IP packets of User2 pass through two levels of CGN devices, CGN2 and then CGN3. The process according to this embodiment of the invention is as follows:
The receiver 201 of CGN1 receives the IP packets from User1, whose source IP address is ip0; the translation module 202 of CGN1 performs NAT on the IP packets and translates the source IP address to ip1; the insertion module 203 of CGN1 inserts the information identifying User1, ip0 and IPn1, into the IP packets; CGN1 re-encapsulates the IP packets, and the transmitter 204 of CGN1 sends the IP packets with source IP address ip1 carrying ip0 and IPn1. The receiver 201 of CGN2 receives the IP packets from User2, whose source IP address is ip0; the translation module 202 of CGN2 performs NAT on the IP packets and translates the source IP address to ip2; the insertion module 203 of CGN2 inserts the information identifying User2, ip0 and IPn2, into the IP packets; CGN2 re-encapsulates the IP packets, and the transmitter 204 of CGN2 sends the IP packets with source IP address ip2 carrying ip0 and IPn2. CGN3 receives the IP packets from CGN1 and CGN2, performs NAT on the IP packets from CGN1 so that the translated source IP address is ip3, and performs NAT on the IP packets from CGN2 so that the translated source IP address is also ip3; CGN3 re-encapsulates and sends the translated IP packets. Finally, the website receives the IP packets from CGN3 and can identify User1 and User2 by the user-identifying information in the packets, which is ip0 and IPn1 for User1 and ip0 and IPn2 for User2. When needed, a user information server (for example an AAA server) can be queried with the user-identifying information to obtain the user's detailed information, so that the user can be traced.

Referring to FIG. 3, which is a block diagram of a packet forwarding system provided by an embodiment of the present invention, the system comprises:

a network address translation device 301, configured to receive IP packets from a user terminal, perform network address translation on the IP packets, insert user-identifying information into the translated IP packets, and send the IP packets into which the user-identifying information has been inserted; and

a receiving device 302, configured to receive the IP packets into which the user-identifying information has been inserted and to identify the user terminal according to the user-identifying information.

With the technical solution provided by the embodiments of the present invention, because the IP packets carry information identifying the user, users can be traced and identified in real time, which solves the problems of network complexity and high log server load that arise in the prior art, where user identification and tracing are performed by querying log files.

A person of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium can be a ROM/RAM, a magnetic disk, an optical disc, or the like.
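The three embodiments above describe one pipeline with different insertion policies: every CGN translates the source address, some CGNs insert user-identifying information, and the receiving device identifies the user from that information rather than from the translated source address, which several users share. The following Python model is an added example and is not code from the patent or its applicant; it assumes that packets are plain Python objects, that the inserted information is carried as a list of (kind, value) pairs in an `ident` field standing in for whatever packet field a real implementation would use, and that the addresses, tunnel identifiers and the AAA table are constructed sample values (ip1, ip2, IPn1 and so on from the text are mapped to documentation addresses and string labels).

```python
"""Model of the CGN user-tracing scheme in Embodiments 6-8 (added example,
not the patent's own code). A CGN translates the source address (module 202)
and may insert user-identifying information (module 203); the receiving
device (302) identifies users from that information.

Assumptions: packets are plain objects; the inserted information travels as
(kind, value) pairs in an 'ident' field; all addresses, tunnel ids, device
ids and the AAA table are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional

WEBSITE = "198.51.100.80"   # constructed destination address


@dataclass
class Packet:
    src_ip: str                        # rewritten by every NAT hop
    dst_ip: str
    tunnel_id: Optional[str] = None    # set by decapsulation at the CGN
    ident: list = field(default_factory=list)  # user-identifying info


class CGN:
    """NAT device: translation module 202 plus optional insertion module 203."""

    def __init__(self, name, public_ip, device_id=None,
                 insert=True, use_tunnel=False):
        self.name = name
        self.public_ip = public_ip
        self.device_id = device_id      # Embodiment 8: first-level CGN id
        self.insert = insert            # False for a CGN that only translates
        self.use_tunnel = use_tunnel    # Embodiment 6: tunnel id + inner IP
        self.sessions = {}              # NAT table: (orig src, dst) -> public

    def forward(self, pkt: Packet) -> Packet:
        orig_src = pkt.src_ip
        # Translation: record the binding and rewrite the source address.
        self.sessions[(orig_src, pkt.dst_ip)] = self.public_ip
        out = Packet(self.public_ip, pkt.dst_ip, None, list(pkt.ident))
        # Insertion: append the information that identifies the user.
        if self.insert:
            if self.use_tunnel:
                out.ident.append(("tunnel", pkt.tunnel_id))
            out.ident.append(("ip", orig_src))
            if self.device_id:
                out.ident.append(("device", self.device_id))
        return out


def identify(pkt: Packet) -> tuple:
    """Receiving device 302: the key that distinguishes users."""
    return tuple(pkt.ident)


def trace(pkt: Packet, aaa: dict) -> str:
    """Optional lookup of the identifying information in an AAA table."""
    return aaa.get(identify(pkt), "unknown")


def embodiment6() -> dict:
    """One CGN; User1 and User5 share an inner address but use different tunnels."""
    cgn1 = CGN("CGN1", "203.0.113.1", use_tunnel=True)
    users = {"User1": ("10.0.0.1", "IPv6_1"),   # constructed: ip1 via CPE1
             "User2": ("10.0.0.2", "IPv6_1"),   # ip2 via CPE1
             "User5": ("10.0.0.1", "IPv6_2")}   # ip1 via CPE2
    return {u: cgn1.forward(Packet(ip, WEBSITE, tunnel_id=t))
            for u, (ip, t) in users.items()}


def embodiment7() -> Packet:
    """Two CGN levels, each inserting the pre-translation source address."""
    cgn1 = CGN("CGN1", "100.64.0.2")   # ip2 (constructed, RFC 6598 space)
    cgn2 = CGN("CGN2", "203.0.113.3")  # ip3
    return cgn2.forward(cgn1.forward(Packet("10.0.0.1", WEBSITE)))


def embodiment8() -> dict:
    """Only the first-level CGN inserts (inner IP plus its own device id)."""
    cgn1 = CGN("CGN1", "100.64.0.1", device_id="IPn1")
    cgn2 = CGN("CGN2", "100.64.0.2", device_id="IPn2")
    cgn3 = CGN("CGN3", "203.0.113.3", insert=False)
    user1 = cgn3.forward(cgn1.forward(Packet("10.0.0.1", WEBSITE)))
    user2 = cgn3.forward(cgn2.forward(Packet("10.0.0.1", WEBSITE)))
    return {"User1": user1, "User2": user2}


if __name__ == "__main__":
    aaa = {(("tunnel", "IPv6_1"), ("ip", "10.0.0.1")): "User1",
           (("tunnel", "IPv6_2"), ("ip", "10.0.0.1")): "User5"}
    for user, pkt in embodiment6().items():
        print(user, pkt.src_ip, identify(pkt), trace(pkt, aaa))
```

The `sessions` dictionary in each CGN is the NAT binding table that the log-based tracing the text contrasts with would have to export and search; in the scheme modelled here the receiver never consults it, because the identifying pairs travel with the packet. Note that the destination sees those pairs as well, which is what lets the website distinguish User1 from User5 even though both arrive from the same translated address.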
The above are only preferred specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention.

Claims

1. A method for forwarding packets, characterized by comprising:
receiving, by a network address translation device, an Internet Protocol (IP) packet from a user terminal;
performing network address translation on the IP packet;
inserting user-identifying information into the translated IP packet; and
sending the IP packet into which the user-identifying information has been inserted, so that a network device that receives the IP packet identifies the user terminal according to the user-identifying information.
2. The method according to claim 1, characterized in that the user-identifying information comprises an IP address of the user terminal and/or a tunnel identifier of the tunnel from the user terminal to the network address translation device.
3. The method according to claim 2, characterized in that the user-identifying information further comprises a device identifier of the network address translation device.
4. The method according to claim 2 or 3, characterized in that, when the user-identifying information comprises the tunnel identifier of the tunnel from the user terminal to the network address translation device, the tunnel identifier comprises an IPv6 address, a virtual private network (VPN) identifier, a Generic Routing Encapsulation (GRE) key, a Point-to-Point Tunneling Protocol (PPTP) tunnel identifier, a Layer 2 Tunneling Protocol (L2TP) tunnel identifier, an Internet Protocol Security (IPsec) tunnel identifier, or an IPv6 flow label.
5. An apparatus for forwarding packets, characterized by comprising:
a receiver, configured for a network address translation device to receive an Internet Protocol (IP) packet from a user terminal;

a translation module, configured to perform network address translation on the IP packet;
an insertion module, configured to insert user-identifying information into the translated IP packet; and
a transmitter, configured to send the IP packet into which the user-identifying information has been inserted, so that a network device that receives the IP packet identifies the user terminal according to the user-identifying information.
7. The apparatus according to claim 6, characterized in that the user-identifying information comprises an IP address of the user terminal and/or a tunnel identifier of the tunnel from the user terminal to the network address translation device.
8. The apparatus according to claim 7, characterized in that the user-identifying information further comprises a device identifier of the network address translation device.
9. The apparatus according to claim 7 or 8, characterized in that, when the user-identifying information comprises the IP address of the user terminal and/or the tunnel identifier of the tunnel from the user terminal to the network address translation device, the tunnel identifier comprises an IPv4-in-IPv6 tunnel identifier, a virtual private network (VPN) tunnel identifier, a Generic Routing Encapsulation (GRE) tunnel identifier, a PPTP tunnel identifier, an L2TP tunnel identifier, an IPsec tunnel identifier, or an IPv6 flow label.

10. A system for forwarding packets, characterized by comprising:
a network address translation device, configured to receive an IP packet from a user terminal, perform network address translation on the IP packet, insert user-identifying information into the translated IP packet, and send the IP packet into which the user-identifying information has been inserted; and
a receiving device, configured to receive the IP packet into which the user-identifying information has been inserted and to identify the user terminal according to the user-identifying information.
PCT/CN2011/078924 2011-01-26 2011-08-25 Method, apparatus and system for forwarding packet WO2012100531A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2011100286503A CN102624935A (en) 2011-01-26 2011-01-26 Method, device and system for forwarding packet
CN201110028650.3 2011-01-26

Publications (1)

Publication Number Publication Date
WO2012100531A1 true WO2012100531A1 (en) 2012-08-02

Family

ID=46564617

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/078924 WO2012100531A1 (en) 2011-01-26 2011-08-25 Method, apparatus and system for forwarding packet

Country Status (2)

Country Link
CN (1) CN102624935A (en)
WO (1) WO2012100531A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104935490A (en) * 2015-07-15 2015-09-23 上海地面通信息网络有限公司 Mobile internet terminal accessing apparatus based on cloud virtual machine

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001966B (en) * 2012-12-11 2016-06-08 杭州迪普科技有限公司 The process of a kind of private network IP, recognition methods and device
CN103139326B (en) * 2013-03-06 2015-12-23 中国联合网络通信集团有限公司 IP source tracing method, equipment and system
CN103731515A (en) * 2014-01-15 2014-04-16 中国联合网络通信集团有限公司 Internet protocol (IP) source tracing method, device and system
CN103825763B (en) * 2014-02-26 2018-01-05 中国联合网络通信集团有限公司 The method and system that a kind of user traces to the source
CN104125621A (en) * 2014-08-11 2014-10-29 上海云联计算机系统有限公司 Mobile terminal data packet tracking and identifying method and device of wireless router
CN104993993B (en) * 2015-05-13 2018-06-15 华为技术有限公司 A kind of message processing method, equipment and system
CN111277494B (en) * 2016-02-16 2021-08-13 华为技术有限公司 Message transmission method and device
CN105812372A (en) * 2016-03-23 2016-07-27 东北大学 Single-packet tracing method based on label switching
CN106027508A (en) * 2016-05-11 2016-10-12 北京网御星云信息技术有限公司 Authentication encrypted data transmission method and device
CN107395778B (en) * 2016-05-16 2020-09-04 华为技术有限公司 User source tracing method, device and system
CN107548099B (en) * 2016-06-28 2021-10-22 华为技术有限公司 Data transmission method and device
CN106713296B (en) * 2016-12-15 2020-05-01 天津交控科技有限公司 Data isolation method for main line and test line and communication equipment used for method
CN106656635A (en) * 2017-02-14 2017-05-10 杭州迪普科技股份有限公司 Method and apparatus for monitoring message forwarding flow
CN109981329A (en) * 2017-12-28 2019-07-05 华为终端有限公司 Determine the method, equipment and system of network equipment connection relationship
CN108989175B (en) * 2018-07-26 2020-10-02 新华三技术有限公司 Communication method and device
CN110086702B (en) * 2019-04-04 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and machine-readable storage medium
CN110061993B (en) * 2019-04-23 2022-06-24 新华三技术有限公司 Log generation method and device containing public network exit address and access equipment
CN112272157B (en) * 2020-09-15 2022-07-26 杭州数梦工场科技有限公司 Method and device for converting host IP address, computer equipment and storage medium
CN113259393B (en) * 2021-06-28 2021-09-24 北京华云安信息技术有限公司 Data forwarding method and device based on multi-level nodes
CN113905364B (en) * 2021-10-25 2023-07-04 广州通则康威智能科技有限公司 Router uplink data tracing method, device, computer equipment and storage medium
CN114401120A (en) * 2021-12-27 2022-04-26 中国电信股份有限公司 Object tracing method and related device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030014593A1 (en) * 2001-07-12 2003-01-16 International Business Machines Corporation Incremental tag build for hierarchical memory architecture
CN101047548A (en) * 2006-03-31 2007-10-03 株式会社日立制作所 Communication in multiple NAT private network
CN101047568A (en) * 2006-05-12 2007-10-03 华为技术有限公司 Method and device of legal listening
CN101488904A (en) * 2009-02-27 2009-07-22 杭州华三通信技术有限公司 Method for GRE tunnel crossing network address translation apparatus and network address translation apparatus

Also Published As

Publication number Publication date
CN102624935A (en) 2012-08-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11857386

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11857386

Country of ref document: EP

Kind code of ref document: A1